US-11968222

Supply chain attack detection

Published: April 23, 2024
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

Methods, storage systems and computer program products implement embodiments of the present invention that include identifying multiple host computers executing respective instances of a specific software application, each given instance on each given host computer including a set of program instructions loaded, by the host computer, from a respective storage device. Information on actions performed by the executing instances is collected from the host computers, and features are computed based on the information collected from the multiple host computers. The collected information for a given instance is compared to the features so as to classify the given instance as benign or suspicious, and an alert is generated for the given instance only upon classifying the given instance as suspicious.

Patent Claims
25 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 2

Original Legal Text

2. The method according to claim 1, wherein the action type for a given action comprises creating or injecting a process, and wherein the entity for the given action comprises a process having a process name.

Plain English Translation

This invention relates to cybersecurity, specifically detecting and mitigating malicious activities in computing systems. The problem addressed is the need to identify and prevent unauthorized or harmful actions, such as the creation or injection of malicious processes, which can compromise system integrity and security. The method involves monitoring system activities to detect actions of a specific type, such as creating or injecting a process. Each detected action is analyzed to determine its associated entity, which in this case is a process identified by its process name. By tracking these actions and their entities, the system can identify suspicious or unauthorized activities, such as the creation of a process with a known malicious name or the injection of a process into another legitimate process. The method helps in distinguishing between legitimate and malicious actions, allowing for timely intervention to prevent security breaches. The approach enhances system security by providing a mechanism to detect and respond to process-related threats, ensuring that only authorized and safe processes operate within the system.

Claim 3

Original Legal Text

3. The method according to claim 1, wherein the action type for a given action comprises accessing a domain, and wherein the entity for the given action comprises a domain name.

Plain English Translation

This claim covers the case where the monitored action is access to a domain. The action type is domain access and the entity is the domain name accessed, so the collected information records which domain names instances of the application contact (for example for updates, telemetry or downloads). Tracking domains by name rather than by individual connection lets the method compare the set of domains contacted by instances on different hosts, so that an instance reaching a domain that no other instance of the same application contacts stands out. Additional context such as timestamps or the host identifier may be recorded alongside the domain name to support later analysis, reporting and policy enforcement.

Claim 4

Original Legal Text

4. The method according to claim 1, wherein the action type for a given action comprises accessing an Internet Protocol (IP) address, and wherein the entity for the given action comprises an IP address.

Plain English Translation

A system and method for monitoring and analyzing network activity involves tracking actions performed by entities within a network. The method includes detecting actions, determining the type of each action, and identifying the entity associated with the action. For certain actions, the action type involves accessing an Internet Protocol (IP) address, and the entity is also identified by an IP address. This allows for detailed tracking of network communications, including source and destination IP addresses, to monitor traffic patterns, detect anomalies, or enforce security policies. The system may log these actions for further analysis, enabling network administrators to identify unauthorized access attempts, track data flows, or optimize network performance. The method supports real-time monitoring and historical analysis, providing insights into network behavior and potential security threats. By correlating action types with specific entities, the system enhances visibility into network operations, facilitating proactive management and threat detection.

Claim 5

Original Legal Text

5. The method according to claim 1, wherein the action type for a given action comprises accessing an autonomous system number (ASN) address, and wherein the entity for the given action comprises an ASN.

Plain English Translation

This invention relates to network security and monitoring, specifically for tracking and analyzing actions involving autonomous system numbers (ASNs). The problem addressed is the need to accurately identify and monitor network actions that involve ASNs, which are critical for routing and security in internet infrastructure. The invention provides a method to classify and process network actions based on their type and the entities involved, with a focus on ASN-related activities. The method involves determining the action type for a given network action, where the action type includes accessing an ASN address. The entity associated with this action is also identified as an ASN. This allows for precise tracking of network interactions involving ASNs, which can be used for security monitoring, traffic analysis, or compliance purposes. The method ensures that ASN-related actions are properly categorized and processed, improving the ability to detect anomalies or unauthorized access. By distinguishing ASN-specific actions, the invention enhances network visibility and control, particularly in environments where ASNs play a key role in routing and security policies. This approach can be integrated into existing network monitoring systems to provide more detailed and accurate insights into ASN-related activities. The method is designed to work with various network protocols and infrastructure components, ensuring broad applicability in different network environments.

Claim 6

Original Legal Text

6. The method according to claim 1, wherein the action type for a given action comprises loading a shared library, and wherein the entity for the given action comprises a shared library having a respective name.

Plain English Translation

This invention relates to computer security, specifically detecting and analyzing actions involving shared libraries in software execution. The problem addressed is the need to monitor and control the loading of shared libraries to prevent unauthorized or malicious access to system resources. Shared libraries are dynamic link libraries (DLLs) or similar executable modules that can be loaded at runtime, and improper handling of these libraries can lead to security vulnerabilities. The method involves tracking actions performed by a software application, where one such action is the loading of a shared library. For each action, the system identifies the action type (in this case, loading a shared library) and the specific entity involved (the name of the shared library being loaded). This allows the system to enforce security policies, such as restricting access to certain libraries or detecting unauthorized attempts to load them. The method may also include additional steps such as validating the library's integrity, checking its digital signature, or logging the action for auditing purposes. By monitoring these actions, the system can enhance security by preventing the execution of untrusted or malicious code. The approach is particularly useful in environments where multiple applications share system resources and where unauthorized library loading could compromise system integrity.

Claim 7

Original Legal Text

7. The method according to claim 1, wherein the action type for a given action comprises accessing a file, and wherein the entity for the given action comprises a file having a file name.

Plain English Translation

A system and method for monitoring and analyzing file access actions within a computing environment. The technology addresses the need to track and manage file access operations to enhance security, compliance, and operational efficiency. The method involves detecting and recording file access events, where each event includes an action type and an associated entity. Specifically, the action type for a given file access event is defined as accessing a file, and the entity for that event is identified by the file name of the accessed file. The system captures these details to enable detailed auditing, threat detection, and policy enforcement. By associating file access actions with specific file names, the method provides granular visibility into file interactions, allowing organizations to monitor unauthorized access, detect anomalies, and enforce access controls. The solution integrates with existing security frameworks to improve data protection and operational transparency. The method supports various file systems and storage environments, ensuring broad applicability across different computing infrastructures. The recorded file access events can be analyzed in real-time or retrospectively to identify patterns, enforce compliance, and mitigate risks. The system enhances security by correlating file access actions with user identities, timestamps, and other contextual data, providing a comprehensive view of file interactions within the environment.

Claim 8

Original Legal Text

8. The method according to claim 1, wherein the action type for a given action comprises accessing a key in a registry, and wherein the entity for the given action comprises a registry key having a key name.

Plain English Translation

This claim covers the case where the monitored action is access to a key in the system registry. Each recorded action carries an action type, here accessing a registry key, and an entity, here the registry key identified by its key name. Recording registry accesses at the level of named keys lets the method compare which keys instances of the same application touch on different hosts, so that an instance reading or modifying keys that its peers never touch can be flagged. Registry keys control startup, configuration and security settings, so unexpected modifications to them can change how the system and its software behave, which is why this action type is tracked alongside process, network, library, file and system call activity.

Claim 9

Original Legal Text

9. The method according to claim 1, wherein the action type for a given action comprises conveying a system call to an operating system, and wherein the entity for the given action comprises a system call having a system call name.

Plain English Translation

This claim covers the case where the monitored action is a system call conveyed by the application to the operating system. The action type is conveying a system call to the operating system, and the entity is the system call itself, identified by its name. Because every interaction between an application and the kernel (file, network, process and memory operations) passes through system calls, the set of named system calls an instance issues is a compact description of its behaviour; comparing that set across hosts running the same application supports the monitoring and classification described in claim 1.
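The action types and entities listed in claims 2 through 9 can be modelled as one record type and normalized so that equivalent actions observed on different hosts compare as equal. The following Python is an added illustration, not code from the patent or its assignee; the field names, the normalization rules, the ASN prefix table and the sample values are constructed assumptions.

```python
# Added example (not the patent's or its assignee's code): one record type for
# the actions of claims 2-9, plus normalization so that the same logical action
# on two hosts yields the same (action_type, entity) pair. Field names, the
# normalization rules and the ASN table are assumptions made for illustration.
from __future__ import annotations
from dataclasses import dataclass
import ipaddress
import re

# Action types from claims 2-9, mapped to the kind of entity each one carries.
ACTION_TYPES = {
    "create_process": "process_name",       # claim 2
    "inject_process": "process_name",       # claim 2
    "access_domain": "domain_name",         # claim 3
    "access_ip": "ip_address",              # claim 4
    "access_asn": "asn",                    # claim 5
    "load_library": "library_name",         # claim 6
    "access_file": "file_name",             # claim 7
    "access_registry_key": "key_name",      # claim 8
    "system_call": "syscall_name",          # claim 9
}

# Constructed prefix -> ASN table (a stand-in for a routing/WHOIS feed).
ASN_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64501,
}


@dataclass(frozen=True)
class Action:
    host: str          # host computer that reported the action
    source: str        # group the host belongs to (site, tenant, segment ...)
    action_type: str   # one of ACTION_TYPES
    entity: str        # process name, domain, IP, ASN, library, file, key, syscall


# Per-host noise removed from file and registry entities (lower-cased input).
_USER_DIR = re.compile(r"^(?:[a-z]:/users/|/home/)[^/]+")
_SID = re.compile(r"s-1-5-21(?:-\d+)+")
_HEX_RUN = re.compile(r"[0-9a-f]{16,}")


def normalize(action: Action) -> tuple[str, str]:
    """Return the (action_type, normalized entity) pair for an action."""
    t = action.action_type
    if t not in ACTION_TYPES:
        raise ValueError(f"unknown action type {t!r}")
    e = action.entity.strip()
    if t in ("create_process", "inject_process", "load_library"):
        e = e.replace("\\", "/").rsplit("/", 1)[-1].lower()   # keep base name only
    elif t == "access_domain":
        e = e.rstrip(".").lower()                             # drop trailing dot
    elif t == "access_ip":
        e = str(ipaddress.ip_address(e))                      # canonical text form
    elif t == "access_asn":
        e = str(int(e.upper().removeprefix("AS")))            # "AS64500" -> "64500"
    elif t == "access_file":
        e = e.replace("\\", "/").lower()
        e = _USER_DIR.sub("<userdir>", e)                     # C:/Users/alice -> <userdir>
        e = _HEX_RUN.sub("<hex>", e)                          # random temp names
    elif t == "access_registry_key":
        e = _SID.sub("<sid>", e.lower())                      # per-user SID -> <sid>
    else:  # system_call
        e = e.lower()
    return (t, e)


def derive_asn_action(action: Action) -> Action | None:
    """Derive the claim 5 ASN action from an IP access, if the prefix is known."""
    if action.action_type != "access_ip":
        return None
    ip = ipaddress.ip_address(action.entity)
    for net, asn in ASN_TABLE.items():
        if ip in net:
            return Action(action.host, action.source, "access_asn", str(asn))
    return None


if __name__ == "__main__":
    samples = [  # constructed sample actions
        Action("h1", "s1", "access_file", r"C:\Users\alice\AppData\Local\Temp\a1b2c3d4e5f60718.tmp"),
        Action("h1", "s1", "access_registry_key", r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Foo\Run"),
        Action("h1", "s1", "access_ip", "203.0.113.10"),
    ]
    for a in samples:
        print(normalize(a))
        asn = derive_asn_action(a)
        if asn:
            print(normalize(asn))
```

Normalization is what makes the later prevalence counts meaningful: without it, a file under each user's home directory would look like a different action on every host and never reach a count above one.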

Claim 10

Original Legal Text

10. The method according to claim 1, wherein computing a given feature comprises computing a count of the sources.

Plain English Translation

This claim specifies one of the features computed from the collected information: the number of sources. In this patent a source is a grouping of host computers (the later claims speak of "host computers at the given source"), for example a site, tenant or network segment, so this feature measures across how many such groups the monitored application is deployed. On its own the count describes the application's footprint; it also gives the prevalence features of the later claims their scale, since an action seen in one source out of two is far less remarkable than one seen in one source out of fifty. The count is computed over the same collected information as the other features and can be recomputed as hosts join or leave the set.

Claim 11

Original Legal Text

11. The method according to claim 1, wherein computing a given feature comprises computing a count of the sources comprising at least one host computer in the set executing a given instance of the software application.

Plain English Translation

This invention relates to software application monitoring and analysis, specifically tracking the execution of software applications across multiple host computers. The problem addressed is the need to accurately determine the distribution and usage of software applications in a networked computing environment, particularly when multiple instances of the same application are running on different hosts. The method involves analyzing a set of host computers to identify those executing a specific instance of a software application. A feature is computed by counting the number of sources (host computers) in the set that are running the given instance. This count provides insights into the deployment and usage patterns of the software application, helping administrators monitor performance, resource allocation, and potential security risks. The method may also include additional steps such as identifying the set of host computers, determining the software applications running on each host, and classifying the instances of the software application. These steps ensure that the analysis is comprehensive and accurate, capturing all relevant data points for the feature computation. The computed feature can then be used for further analysis, reporting, or decision-making in managing the software application's lifecycle.

Claim 12

Original Legal Text

12. The method according to claim 1, wherein for each given action type, computing a given feature comprises computing a count of the host computers in the set executing a given instance of the software application that performed a given action comprising the given action type.

Plain English Translation

This invention relates to monitoring and analyzing software application behavior across multiple host computers in a networked environment. The problem addressed is the need to efficiently track and quantify specific actions performed by software applications to detect anomalies, security threats, or performance issues. The method involves monitoring software applications running on multiple host computers to collect data about their actions. For each type of action (e.g., file access, network communication, process execution), the system computes a feature representing the count of host computers executing a specific instance of the software application that performed that action. This allows for statistical analysis of how widely or narrowly a particular action is occurring across the network. By aggregating these counts, the system can identify patterns, such as an unusual spike in a specific action type, which may indicate a security breach or misconfiguration. The method supports real-time or batch processing of action data to generate insights for security monitoring, compliance, or operational optimization. The approach is scalable, as it can handle large-scale deployments with thousands of host computers while maintaining granular visibility into application behavior.

Claim 13

Original Legal Text

13. The method according to claim 1, wherein for each given action type, computing a given feature comprises computing a count of the sources comprising at least one host computer in the set that performed a given action comprising the given action type.

Plain English Translation

This invention relates to cybersecurity monitoring systems that analyze network activity to detect potential threats. The problem addressed is the need to efficiently identify suspicious behavior by tracking actions performed by host computers within a network. The invention provides a method for computing features that quantify the frequency of specific action types across multiple sources, where each source represents a group of host computers. For each defined action type, the method calculates a count of sources that include at least one host computer performing that action. This count helps assess the prevalence of the action type across the network, enabling threat detection by identifying unusual patterns or anomalies. The method may be applied to various action types, such as network connections, file access, or command executions, and can be used to generate metrics for machine learning models or rule-based systems that evaluate network security. The approach improves threat detection by focusing on the distribution of actions across sources rather than individual hosts, reducing false positives and enhancing the accuracy of security alerts. The invention is particularly useful in enterprise environments where monitoring large-scale networks is critical for identifying coordinated attacks or compromised systems.

Claim 14

Original Legal Text

14. The method according to claim 1, wherein for each given normalized action, computing a given feature comprises computing a count of the sources comprising at least one host computer in the set that performed the given normalized action.

Plain English Translation

This invention relates to cybersecurity and network monitoring, specifically to analyzing network activity to detect potential threats. The problem addressed is the need to efficiently identify suspicious behavior by tracking and quantifying actions performed across multiple host computers in a network. The invention provides a method for computing features that represent the frequency of specific actions observed in network traffic, helping to detect anomalies or malicious activity. The method involves normalizing actions observed in network traffic, meaning converting raw network events into standardized action types. For each normalized action, a feature is computed by counting how many distinct sources (e.g., host computers or devices) in a predefined set performed that action. This count helps quantify the prevalence of the action across the network, which can indicate abnormal or coordinated behavior. The method may also involve aggregating these counts over time or across different subsets of hosts to refine threat detection. By analyzing these computed features, security systems can identify patterns that deviate from normal network behavior, such as an unusual spike in a specific action performed by multiple hosts, which may signal an attack. The invention improves threat detection by providing a scalable and precise way to measure action frequency across network sources.

Claim 15

Original Legal Text

15. The method according to claim 1, wherein computing a given feature comprises computing a count of distinct normalized actions.

Plain English Translation

This claim specifies a feature that is the count of distinct normalized actions. Normalization maps raw actions to a standardized form so that the same action observed on different hosts (for instance the same file accessed under different user directories) compares as equal. Counting the distinct normalized actions then gives a measure of how varied the application's behaviour is, irrespective of how often each action repeats. A jump in this count for an instance or a source relative to the rest of the deployment indicates behaviour the application did not previously exhibit, which is the kind of deviation the method is designed to surface; because the count ignores superficial variation, it is less noisy than a count of raw events.

Claim 16

Original Legal Text

16. The method according to claim 1, wherein for a given source, computing a given feature comprises computing a first count of distinct normalized actions performed by instances of the software application executing on the host computers at the given source, computing respective second counts of distinct normalized actions performed by instances of the software application executing on the host computers at each of the sources other than the given source, computing an average of the second counts, and comparing the first count to the computed average.

Plain English Translation

This claim specifies a feature computed for each source, where a source is a group of host computers. The method counts the distinct normalized actions performed by instances of the application on the host computers of the given source, computes the same count for each of the other sources, averages those other counts, and compares the given source's count to the average. A source whose instances exhibit markedly more (or fewer) distinct actions than the average of its peers is behaving differently from the rest of the deployment, which may indicate a modified copy of the application at that source or an operational problem. Comparing against peers rather than a fixed threshold lets the method adapt to how the application normally behaves across the fleet.

Claim 17

Original Legal Text

17. The method according to claim 1, wherein for each given action type, computing a given feature comprises computing a count of the sources having at least one host computer in the set executing a given instance of the software application that performed a given action comprising the given action type.

Plain English Translation

This invention relates to analyzing software application behavior across multiple host computers to detect anomalies or security threats. The method involves monitoring software applications executing on host computers within a network, where each application performs various actions of different types. For each action type, the method computes a feature by counting the number of sources (e.g., users, processes, or systems) that have at least one host computer executing an instance of the software application that performed an action of that type. This count helps identify patterns or deviations in application behavior, which can indicate potential security risks, such as unauthorized access or malicious activity. The method aggregates these counts to generate a feature vector representing the behavior of the software application, which can then be used for further analysis, such as anomaly detection or threat classification. The approach improves security monitoring by providing a quantitative measure of how widely specific actions are performed across different sources, enabling more accurate detection of abnormal or malicious behavior.

Claim 18

Original Legal Text

18. The method according to claim 1, wherein for each given normalized action, computing a given feature comprises computing a count of the sources having at least one host computer in the set executing a given instance of the software application that performed the given normalized action.

Plain English Translation

This invention relates to analyzing software application behavior across multiple host computers to detect anomalies or security threats. The problem addressed is the need to efficiently identify patterns of activity that may indicate malicious behavior, such as unauthorized access or data exfiltration, by aggregating and analyzing actions performed by software applications across a network of host computers. The method involves normalizing actions performed by software applications running on host computers, where normalization standardizes the actions to a common format for comparison. For each normalized action, a feature is computed by counting the number of sources (e.g., host computers or users) that have at least one host computer executing an instance of the software application that performed the given normalized action. This count helps quantify the prevalence of the action across the network, which can be used to detect unusual or suspicious behavior. The method may also involve aggregating these features over time or across different hosts to identify trends or anomalies. The analysis can be used to generate alerts or trigger further investigation when certain thresholds or patterns are detected. The approach improves threat detection by leveraging distributed data to identify coordinated or widespread malicious activities that might otherwise go unnoticed.

Claim 19

Original Legal Text

19. The method according to claim 1, wherein for each given normalized action, computing a given feature comprises computing a count of the host computers in the set executing a given instance of the software application that performed the given normalized action.

Plain English Translation

This invention relates to monitoring and analyzing software application behavior across multiple host computers in a networked environment. The problem addressed is the need to efficiently track and quantify specific actions performed by software applications to detect anomalies, security threats, or performance issues. The method involves normalizing actions performed by software applications running on multiple host computers, meaning converting diverse actions into a standardized format for comparison. For each normalized action, a feature is computed by counting how many host computers in a predefined set executed a specific instance of the software application that performed that action. This count helps identify patterns, such as whether an action is widespread or isolated to a few hosts, which can indicate normal behavior or potential issues like malware propagation or misconfigurations. The method may also involve aggregating these counts over time or across different software instances to provide deeper insights into application behavior. The approach enables automated detection of deviations from expected behavior, improving system security and reliability.

Claim 20

Original Legal Text

20. The method according to claim 1, wherein for each given source, computing a given feature comprises computing a count of the host computers in the set executing a given instance of the software application.

Plain English Translation

This invention relates to monitoring software application execution across multiple host computers in a networked environment. The problem addressed is the need to efficiently track and analyze software application instances running on distributed host computers to assess deployment, usage, or security risks. The method involves collecting data from a set of host computers executing a software application. For each software application instance detected, the method computes features that characterize its execution. A key feature is the count of host computers in the set that are running a specific instance of the software application. This count helps determine the prevalence or distribution of the software instance across the network. The method may also compute other features, such as the number of unique software applications or instances detected, or the frequency of execution. The computed features are then used to generate insights, such as identifying widely deployed applications, detecting anomalies, or assessing compliance with software policies. The approach enables centralized monitoring of software execution patterns, allowing administrators to track application usage, enforce policies, or detect potential security threats based on the distribution of software instances across host computers. The method is particularly useful in large-scale environments where manual tracking is impractical.

Claim 21

Original Legal Text

21. The method according to claim 1, wherein for each combination comprising a given source and a given normalized action, computing a given feature comprises computing a count of the host computers in the given source that performed the given normalized action.

Plain English Translation

This invention relates to cybersecurity and threat detection, specifically analyzing host computer behavior to identify potential security threats. The problem addressed is the difficulty in detecting malicious activity by monitoring and quantifying specific actions performed by host computers across different sources. The invention provides a method for computing features that represent the frequency of normalized actions performed by host computers in a given source, enabling more accurate threat detection. The method involves normalizing actions performed by host computers, such as file access, process execution, or network communication, into a standardized format. For each combination of a source (e.g., a specific host, network segment, or time window) and a normalized action, the method computes a feature by counting how many host computers in that source performed the given action. This count is used to generate a feature vector that characterizes the behavior of the source. The feature vector can then be analyzed to detect anomalies or patterns indicative of malicious activity, such as a sudden increase in a particular action across multiple hosts. By quantifying the prevalence of actions within a source, the method improves threat detection by identifying deviations from normal behavior. This approach helps security systems distinguish between legitimate and suspicious activities, enhancing the accuracy of threat detection mechanisms. The method can be applied in various cybersecurity applications, including intrusion detection, malware analysis, and network monitoring.

Claim 22

Original Legal Text

22. The method according to claim 1, wherein for each combination comprising a given source and a given action type, computing a given feature comprises computing a count of the host computers in in the given source that performed a given normalized action comprising the given action type.

Plain English Translation

This invention relates to cybersecurity and threat detection, specifically analyzing host computer behavior to identify potential malicious activity. The problem addressed is the difficulty in detecting threats by correlating actions across multiple host computers, particularly when actions are performed in different ways but represent the same underlying malicious behavior. The method involves monitoring host computers to collect action data, where each action is associated with a source (e.g., a specific host or group of hosts) and an action type (e.g., file deletion, process execution). To normalize variations in how actions are performed, the method categorizes actions into normalized action types, which group similar actions regardless of minor differences. For each combination of a source and a normalized action type, the method computes a feature by counting how many host computers in that source performed the normalized action. This count is used to assess whether the behavior is anomalous or indicative of a coordinated attack. The method also includes aggregating these features across multiple sources to detect patterns of malicious activity that span multiple hosts. By analyzing these counts, security systems can identify potential threats that would otherwise be missed if actions were evaluated in isolation. The approach improves threat detection by reducing false positives and increasing the accuracy of identifying coordinated attacks.

Claim 23

Original Legal Text

23. The method according to claim 1, wherein for each source, computing a given feature comprises computing a count of different normalized actions performed by the software application executing on the host computers belonging to the given source.

Plain English Translation

This invention relates to monitoring software applications across multiple host computers to detect anomalies or malicious behavior. The problem addressed is the need to efficiently analyze software application behavior across distributed systems to identify deviations from normal operation, which may indicate security threats or performance issues. The method involves collecting data from multiple host computers, where each host computer runs a software application. The data includes actions performed by the software applications, which are then normalized to a standardized format. For each source (e.g., a group of host computers or a specific application instance), the method computes a feature representing the count of different normalized actions performed by the software application. This feature helps quantify the diversity of actions, which can be used to detect unusual behavior patterns. The method may also include aggregating data from multiple sources to compute additional features, such as the total number of actions or the frequency of specific actions. These features are then used to build a model that distinguishes normal behavior from anomalies, enabling early detection of potential security risks or system failures. The approach improves threat detection by leveraging behavioral diversity across distributed environments.

Claim 24

Original Legal Text

24. The method according to claim 1, wherein for each source, computing a given feature comprises computing a count of the host computers belonging to the given source.

Plain English Translation

The invention relates to a method for analyzing network traffic to detect potential security threats by evaluating features of data sources. The method addresses the challenge of identifying malicious activity in network communications by quantifying the behavior of different data sources, such as IP addresses or domains, to distinguish between legitimate and suspicious traffic patterns. The method involves processing network traffic data to extract features for each source, where a source refers to an entity like a host computer, IP address, or domain. One key feature computed for each source is the count of host computers associated with that source. This count helps assess the scale and potential risk of the source by determining how many distinct hosts are interacting with it. A higher count may indicate a broader attack surface or a more significant threat, while a lower count may suggest more targeted or isolated activity. By analyzing this feature alongside others, the method enables security systems to detect anomalies, such as an unusually high number of hosts connecting to a single source, which could signal a distributed attack or compromised infrastructure. The method supports threat detection by providing quantitative metrics that improve the accuracy of identifying malicious sources in network traffic.

Claim 25

Original Legal Text

25. The method according to claim 1, wherein the host computers execute multiple software applications having respective names, and further comprising normalizing the names, wherein the instances of the specific software application comprising the instances of the software application having identical normalized names.

Plain English Translation

This invention relates to a method for identifying and managing instances of specific software applications running on multiple host computers in a networked environment. The problem addressed is the challenge of accurately identifying and tracking software applications across different hosts, particularly when application names may vary due to formatting differences, version numbers, or other inconsistencies. The method involves executing multiple software applications on host computers, where each application has a respective name. To ensure consistent identification, the names of these applications are normalized, meaning they are converted into a standardized format that removes variations such as case differences, extra spaces, or version suffixes. By normalizing the names, instances of the specific software application can be identified as those with identical normalized names, regardless of how they were originally named on different hosts. This allows for accurate tracking and management of software deployments across the network. The normalization process ensures that even if the same application is listed under slightly different names (e.g., "App1" vs. "app1" or "App1_v2.0"), they will be recognized as the same application. This method improves software inventory accuracy, simplifies compliance checks, and enhances the ability to apply updates or patches uniformly across all instances of the same application. The technique is particularly useful in large-scale IT environments where manual tracking of software instances is impractical.
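The feature computations described in claims 20 through 25 (host count per application instance, host count per source and normalized action, host count per source and action type, distinct normalized actions per source, host count per source, and application-name normalization), worked through as an added example that is not code from the patent or its assignee. The telemetry records, the meaning of "source" as a host grouping, the normalization rules and the rarity rule used to classify an instance as suspicious are all assumptions made for this illustration.

```python
from collections import defaultdict
import re
# Constructed telemetry: (host, source, raw app name, action type, entity).
# "source" is assumed here to be a host grouping such as a department.
EVENTS = [
    ("h1", "finance", "Updater_v2.1.exe", "file_write", r"C:\Temp\log1.txt"),
    ("h3", "finance", "UPDATER_V2.0.EXE", "file_write", r"C:\Temp\log3.txt"),
    ("h1", "finance", "Updater_v2.1.exe", "network", "updates.example.com"),
    ("h2", "finance", "updater.exe", "network", "updates.example.com"),
    ("h3", "finance", "UPDATER_V2.0.EXE", "network", "updates.example.com"),
    ("h3", "finance", "UPDATER_V2.0.EXE", "inject", "svchost.exe"),
    ("h4", "sales", "updater.exe", "network", "updates.example.com"),
]

def normalize_name(name):
    """Claim 25: fold case and drop a version suffix so name variants match."""
    return re.sub(r"_v[\d.]+(?=\.\w+$)", "", name.strip().lower())

def normalize_action(action_type, entity):
    """Collapse per-host variation (here: numbered temp files) into one action."""
    if action_type == "file_write":
        entity = re.sub(r"\d+", "N", entity)
    return (action_type, entity.lower())

def compute_features(events, app):
    """Per-source counts described in claims 20-24 for one application."""
    app = normalize_name(app)
    running, by_action, by_type = set(), defaultdict(set), defaultdict(set)
    actions, hosts = defaultdict(set), defaultdict(set)
    for host, source, name, atype, entity in events:
        if normalize_name(name) != app:
            continue
        action = normalize_action(atype, entity)
        running.add(host)                               # claim 20
        by_action[(source, action)].add(host)           # claim 21
        by_type[(source, atype)].add(host)              # claim 22
        actions[source].add(action)                     # claim 23
        hosts[source].add(host)                         # claim 24
    count = lambda d: {k: len(v) for k, v in d.items()}
    return {"hosts_running": len(running), "hosts_per_action": count(by_action),
            "hosts_per_type": count(by_type), "distinct_actions": count(actions),
            "hosts_per_source": count(hosts)}

def suspicious_hosts(events, app, min_share=0.5):
    """Assumed rule: flag a host whose instance performed a normalized action
    seen on fewer than min_share of the hosts in its source."""
    f = compute_features(events, app)
    return {h for h, s, n, t, e in events if normalize_name(n) == normalize_name(app)
            and f["hosts_per_action"][(s, normalize_action(t, e))]
            / f["hosts_per_source"][s] < min_share}
```

With the constructed data, the three finance hosts share the file-write and network actions, while only one of them performs the process injection, so that host is the only one flagged and an alert would be raised for it alone.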

Claim 26

Original Legal Text

26. The method according to claim 1, wherein collecting the information for a given action performed by a given instance on a given host computer comprises detecting, by an endpoint agent executing on the host computer, the given action performed by the given instance, extracting, by the endpoint agent, the information for the given action, conveying by the endpoint agent the extracted information, and receiving, by the processor, the conveyed information.

Plain English Translation

This invention relates to endpoint security systems that monitor and analyze actions performed by software instances on host computers. The problem addressed is the need for accurate and detailed collection of action data to detect and respond to security threats, such as malware or unauthorized activities, in real-time. The system includes an endpoint agent installed on a host computer, which detects actions performed by software instances running on that host. The agent extracts relevant information about each detected action, such as the type of action, the instance performing it, and the host computer involved. The extracted information is then conveyed to a central processor, which receives and processes the data for further analysis. This enables the system to correlate actions across multiple hosts, identify suspicious patterns, and trigger appropriate security responses. The endpoint agent operates locally on the host, ensuring low-latency detection and minimizing network overhead. The central processor aggregates data from multiple agents, allowing for comprehensive threat detection and response coordination. This approach enhances visibility into system activities and improves the ability to detect and mitigate security threats efficiently.

Patent Metadata

Filing Date

July 5, 2022

Publication Date

April 23, 2024

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Supply chain attack detection” (US-11968222). https://patentable.app/patents/US-11968222

© 2026 Nomic Interactive Technology LLC.